Card not present (CNP) transactions are those where the purchase is made without presenting the physical card to the merchant at the point of sale. As more and more physical stores are using EMV-compliant terminals, Javelin Strategy & Research credit card fraud statistics report that card-not-present fraud is now 81% more likely to happen than card-present fraud. Card-not-present transactions can be done via online merchants, telephone orders, or mail. There are various modus operandi to commit CNP fraud, such as account takeover using phishing scams, malware infection to capture keystrokes, or friendly fraud. In such scenarios, the cardholder is involved in the fraud, and it is kind of a personalised attack. However, today we will talk about an impersonal attack where a fraudster exploits a BIN (bank identification number) and uses distributed computing power to automatically generate the remaining numbers and test these combinations to see which card numbers are correct and if the cards are active. This kind of attack is called BIN attack fraud. The subtlety of BIN Attack fraud is that it does not involve any data breach or ID theft; it is just a pure random coincidence that a victim’s card number is chosen.
The compromised cards can have a significant impact on issuing banks in terms of chargebacks, call c entre volume spikes, and re-issuance expenses. Furthermore, any cardholder disruption or friction during this tenure leads to a loss of interchange revenues. The damage to the bank’s reputation could lead to cardholders switching the bank’s services to another, more secure bank.
A merchant involved in BIN attack fraud faces increased disputes or chargebacks, additional fees, and regulatory fines. Depending on the nature of the attack and risk profile, the acquiring bank may choose to suspend support for the merchant’s site. The cardholder’s bank may restrict purchases from your site, resulting in further financial losses. Refunding any fraudulent transactions is an operational challenge, not to mention the reputational loss.
Thus, BIN attack fraud is a problem both for issuers and merchants.
Preventing a BIN Attack Fraud
To prevent BIN attack fraud, the merchant or the issuing bank can deploy a few techniques:
- Enable 3D security. The latest version of EMV 3DS 2.x is an additional security layer for online credit and debit card transactions that aims to achieve a balance between security and user convenience.
- As a merchant, enable a CAPTCHA test to tell humans and bots apart. While this may create friction for genuine customers, it’s an effective deterrent against BOT scripts.
- Deploy an anti-fraud solution that can look at many aspects and block transactions or alert your fraud analyst. A good anti-fraud solution should have:
- Ability to spot multiple low-value transactions (unusually low for the merchant’s business).
- Multiple declines within a short period
- The timing of transactions may be unusual for the merchant, business, or cardholder.
- A large number of transactions from the same BIN were attempted in a short period of time (a few seconds apart).
- IP Velocity Checks: Even though these days, through proxy and spoofing, fraudsters can make it seem that the transactions are coming from different IPs, Use an anti-fraud solution that deploys good device fingerprinting techniques to solve this issue, as fingerprinting is impervious to IP proxies.
- Unusually large volume of international transactions for a given merchant or for a cardholder.
- Look for patterns, cards with sequential numbers, the same card number but different expiration dates, or CVV codes.
- Ability to create a profile for the merchant and cardholder and alert in case of any significant deviations.